Is your business ready for GDPR?
The European General Data Protection Regulation (GDPR) is coming into force on May 25 and is set to be the biggest ever shake-up of personal privacy rules. GDPR is a new set of legislation governing the use of personal data by companies and organisations in the EU, introducing stricter regulations on the treatment of personal data.
It’s replacing the Data Protection Directive 95/46/ EC, reflecting the changing nature and scope of the digital economy, and the EU’s GDPR website says it “was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organisations across the region approach data privacy”.
The clock is now ticking for companies to be fully compliant by the time the regulation arrives, but according to research released by the Federation of Small Business last month, 90% of UK small businesses are still not prepared for the introduction of GDPR.
It’s important you take the changes seriously and work quickly to understand what action is required of your salon or spa to be compliant. “GDPR puts you in the shoes of the customer and it should be seen as an exciting opportunity rather than an intimidating task,” says Luke Wilkinson, marketing manager at salon software provider Shortcuts.
What does GDPR mean for my salon?
The regulation is overhauling how your salon can process and handle clients’ data. “It’s going to be mandatory for all businesses to collect, house and protect their clients’ personal data and information in a secure manner,” says Connor Keppel, head of marketing at Phorest, which specialises in software for salons and spas.
“This is particularly interesting in the hair and beauty industry as salons collect so much personal data from their clients, ranging from simple contact details through to very sensitive medical records.”
Salons now need to take extra care when collecting information, from emails and phone numbers to treatment preferences, as Madeleine Raynel, Treatwell’s director of city management for UK & IE, explains. “Increased awareness around the issue of personal data storage means customers need to be able to trust salons are playing their part. There is a risk of losing customers if they think you’re not being careful, or even worse, reckless with their personal data.”
She adds: “Big turn offs include mass emails without permission and spam texts, which are also illegal. It’s a great opportunity for salons to show their customers just how responsible, trustworthy and empathetic they are.”
The regulation also requires salon owners to provide a clear audit trail as to how data is collected, stored and used, as you will not be able to use someone’s personal information without their consent. Plus, there is now a requirement to report any data breaches such as cyber attacks and accidental leaks to authorities within 72 hours.
What are the risks of not being compliant?
Those in non-compliance could face heavy charges – the EU’s GDPR website states that organisations can be fined up to €20 million or 4% of their annual turnover for breaching the rules. However, this is the maximum fine that can be imposed “for the most serious infringements” – for example, not having customer consent to process data.
There is also a tiered approach to fines; for example, “a company can be fined 2% for not having its records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment,” the website states.
It’s also important to note that Brexit will not affect your need to comply. “If your data is captured, processed or used in the EU, you are obligated to comply. The UK’s decision to leave has no effect on the new regulation,” says data protection advisor Paula Tighe.
The Government has said the same rules will continue to apply after the UK formally leaves the EU, with GDPR standards to be enshrined in UK statute in the Data Protection Bill currently going through Parliament.
How do I get my salon GDPR ready?
GDPR aims to give individuals better control over their personal data, so it’s crucial you review existing procedures for dealing with it and amend where necessary. “Your customers’ data must be processed lawfully, fairly and in a transparent method. Depending on your salon, opt-in permissions might be necessary. For example, obtaining permission to record medical information is essential,” explains Wilkinson.
Shortcuts has configured its software to allow you to align your business with the new legislation, providing an automated mechanism to remove the details of customers who haven’t visited within a specific number of years, to be able to define an age of consent and specific opt-in details for each client.
It’s also worth talking to your current software provider to find out what new functions they’re offering to help you get GDPR-ready. Software provider Salon Genius is helping existing and new accounts prepare by “adding a signature to our MyGenius data collector, proving the client has approved the choices or changes,” says Salon Genius’s marketing executive Tom Pickering.
“GDPR is a great time to cleanse your data to ensure when you are marketing to clients you are targeting the correct people with the correct information.”
Meanwhile, there will be more reminders and prompts in Treatwell’s Treatwell Connect – the company’s salon management software – to ensure partner salons and spas have got the consent they need from their customers. “It’s not just about our partners taking responsibility, we will also ensure they have full visibility and control over the management of their calendars, and who in their teams have access,” adds Raynel.
You will also need to record the actions you take to comply with GDPR via documents such as a data protection policy and data-handling procedures manual. “Compliance is not about preventing you from doing things, instead, it helps improve standards by questioning your reasons and motives,” says Tighe.
“Make sure you review your processes, including how you obtained consent from the individuals concerned. Also review your existing digital and hard copy format privacy notices and policies – are they concise, written in clear language, easy to understand and easily found?”
It’s worth assigning someone in your business to be the privacy officer, responsible for monitoring compliance, and it’s even worth investing in GDPR training for your team.
“Business owners need to consider training staff to look after customer data correctly and be aware of the general obligations around privacy as a result of GDPR,” says Andrew Long, data privacy officer for salon and spa software provider Timely. “Internal documentation will also need to be created to document-related procedures.”
Timely is providing GDPR-related help documents for its accounts to explain how they are going to help them meet the regulation. The company is also executing many of the main GDPR requirements in its software. For example, when clients book online with your business for the first time, they will be required to grant consent to store their information.
What is a Subject Access Request?
Under GDPR’s legislation, a client is entitled to request a Subject Access Request (SAR) from your salon and “you will have to produce all information you hold on that person to them free of charge within 30 days,” explains Keppel. “If a salon is using pen and paper, and maybe an online email tool, for example, it will be virtually impossible to provide all the data above. Also, how do you delete a client’s details from a paper system if you have multiple entries in different diaries?”
Phorest’s Salon Software has compliant consultation forms so all clients’ details are recorded in a traceable way as per GDPR regulations and all data is fully encrypted for protection. In terms of salon marketing, it provides filters and tools to create campaigns using email, social media and SMS but ensuring all clients are correctly opted-in.
If a client does ask for a SAR “you can refuse to comply if you think the request has no merit, but you must tell them why and explain that they can complain to the regulator,” explains Tighe.